High

lunary

Improper Access Control in Template Version Retrieval

An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows unauthorized viewing of the prompts of any project by supplying a prompt ID. This issue affects version 1.2.2 and was patched in version 1.2.25.

Available publicly on May 20 2024

CVSS Score:

7.5

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

fewword

Remediation Steps
  • Update to version 1.2.25 or later.
  • Implement proper authorization checks to ensure that a user requesting prompt details is authorized to view the prompt associated with the supplied ID.
  • Regularly audit and review code for potential IDOR vulnerabilities.
  • Consider implementing rate limiting and logging to detect and mitigate brute-force attempts to guess prompt IDs.
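As an added illustration of the second remediation step (not lunary's own code), the following shows a template-version lookup keyed only by ID beside one scoped to the authenticated project; the in-memory store, the `ctx.projectId` field and the handler names are assumptions for illustration.

```javascript
// Added example, not lunary's code: an unscoped template-version lookup
// (the IDOR pattern) next to a lookup scoped to the caller's project.
// Names (TEMPLATE_VERSIONS, ctx.projectId, handleGetVersion) are assumptions.

// Constructed sample rows standing in for a template_versions table.
const TEMPLATE_VERSIONS = [
  { id: 1, projectId: "proj-a", content: "Summarize: {{input}}" },
  { id: 2, projectId: "proj-b", content: "Internal prompt for project B" },
];

// Vulnerable shape: the query is keyed only by id, so any caller who can
// supply an ID (including one outside their project) receives the row.
function getTemplateVersionUnscoped(versionId) {
  return TEMPLATE_VERSIONS.find((v) => v.id === versionId) ?? null;
}

// Hardened shape: the lookup is keyed by BOTH the id and the project taken
// from the authenticated context, never from the request parameters.
function getTemplateVersionScoped(ctx, versionId) {
  if (!ctx || typeof ctx.projectId !== "string") {
    // No authenticated project context: refuse rather than fall through.
    return { status: 401, body: null };
  }
  const row = TEMPLATE_VERSIONS.find(
    (v) => v.id === versionId && v.projectId === ctx.projectId,
  );
  // Use 404 for both "does not exist" and "belongs to another project" so
  // the response does not confirm which IDs are valid elsewhere.
  return row ? { status: 200, body: row } : { status: 404, body: null };
}

// Minimal handler: validates the path parameter, then uses the scoped lookup.
// The Koa-style ctx object is an assumption, not lunary's actual handler.
function handleGetVersion(ctx, params) {
  const versionId = Number.parseInt(params.id, 10);
  if (!Number.isInteger(versionId)) return { status: 400, body: null };
  return getTemplateVersionScoped(ctx, versionId);
}
```

The unscoped function is kept only to make the contrast visible; a real handler should expose only the scoped path.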

Patch Details
  • Fixed Version: 1.2.25
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf